mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
32 lines
1.2 KiB
Plaintext
32 lines
1.2 KiB
Plaintext
{% set es = salt['pillar.get']('static:masterip', '') %}
|
|
{% set hivehost = salt['pillar.get']('static:masterip', '') %}
|
|
{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
|
|
alert: modules.so.thehive.TheHiveAlerter
|
|
|
|
hive_connection:
|
|
hive_host: https://{{hivehost}}/thehive/
|
|
hive_apikey: {{hivekey}}
|
|
|
|
hive_proxies:
|
|
http: ''
|
|
https: ''
|
|
|
|
hive_alert_config:
|
|
title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
|
|
type: 'osquery'
|
|
source: 'SecurityOnion'
|
|
description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))> \n\n `Hostname:` __{match[osquery][hostname]}__ `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:` __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
|
|
severity: 2
|
|
tags: ['playbook','osquery']
|
|
tlp: 3
|
|
status: 'New'
|
|
follow: True
|
|
caseTemplate: '5000'
|
|
|
|
|
|
hive_observable_data_mapping:
|
|
- ip: '{match[osquery][EndpointIP1]}'
|
|
- ip: '{match[osquery][EndpointIP2]}'
|
|
- other: '{match[osquery][hostIdentifier]}'
|
|
- other: '{match[osquery][hostname]}'
|